Web lists-archives.com

Re: Recreating history of a package


On Sat, 2019-02-16 at 12:22:04 +0000, peter green wrote:
> 2. Snapshot.debian.org is only offered over plain insecure http. For
>    recent versions the packages can be verified against the
>    Packages/Sources files which can in turn be verified with gpg but
>    older versions are more problematic to verify as the relevant
>    packages/sources files are only signed with 1024 bit keys or not
>    signed at all. This is made worse by the fact that
>    snapshot.debian.org has an API to obtain the first snapshot a
>    package is available in but not any API to find the last snapshot
>    it was available in.

http://snapshot.debian.org/ is now offered over https too. Its front-page
even documents its usage as such. :)